Marcus Povey <marcus@dushka.co.uk>

* Call method now specified in api

git-svn-id: https://code.elgg.org/elgg/trunk@265 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 84 insertions, 60 deletions

diff --git a/engine/lib/api.php b/engine/lib/api.php
index 2751e2166..b2696ade9 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -175,6 +175,7 @@
 	 * 	$METHODS = array (
 	 * 		"api.method" => array (
 	 * 			"function" = 'my_function_callback'
+	 * 			"call_method" = 'GET' | 'POST'
 	 * 			"parameters" = array (
 	 * 				"variable" = array ( // NB, the order is the same as defined by your function callback
 	 * 					type => 'int' | 'bool' | 'float' | 'string'
@@ -189,6 +190,14 @@
 	$METHODS = array();
 	
 	/**
+	 * Get the request method.
+	 */
+	function get_call_method()
+	{
+		return $_SERVER['REQUEST_METHOD'];
+	}
+	
+	/**
 	 * Validate a token against a given site. 
 	 * 
 	 * A token registered with one site can not be used from a different apikey(site), so be aware of this
@@ -224,11 +233,12 @@
 	 * @param string $method The api name to expose this as, eg "myapi.dosomething"
 	 * @param string $function Your function callback.
 	 * @param array $parameters Optional list of parameters in the same order as in your function, with optional parameters last.
+	 * @param string $call_method Define what call method should be used for this function.
 	 * @param bool $require_auth Whether this requires a user authentication token or not (default is true)
 	 * @param string $description Optional human readable description of the function.
 	 * @return bool
 	 */
-	function expose_function($method, $function, array $parameters = NULL, $require_auth = true, $description = "")
+	function expose_function($method, $function, array $parameters = NULL, $call_method = "GET", $require_auth = true, $description = "")
 	{
 		global $METHODS;
 		
@@ -244,6 +254,15 @@
 			if ($parameters!=NULL)
 				$METHODS[$method]["parameters"] = $parameters;
 				
+			$call_method = strtoupper($call_method);
+			switch ($call_method)
+			{
+				case 'POST' : $METHODS[$method]["call_method"] = 'POST'; break;
+				case 'GET' : $METHODS[$method]["call_method"] = 'GET'; break;
+				default : 
+					throw new InvalidParameterException("Unrecognised call method '$call_method'");
+			}
+				
 			$METHODS[$method]["description"] = $description;
 			
 			$METHODS[$method]["require_auth"] = $require_auth;
@@ -275,82 +294,87 @@
 		// See if we can find the method handler
 		if ((isset($METHODS[$method]["function"])) && (is_callable($METHODS[$method]["function"])))
 		{
-			$serialised_parameters = "";
-			
-			$validated_userid = validate_user_token($CONFIG->site_id, $token); 
-		
-			if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin()))
+			// See if this is being made with the right call method
+			if (strcmp(get_call_method(), $METHODS[$method]["call_method"]))
 			{
-				// If we have parameters then we need to sanitise the parameters.
-				if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"]))) 
+				$serialised_parameters = "";
+				
+				$validated_userid = validate_user_token($CONFIG->site_id, $token); 
+			
+				if ((!$METHODS[$method]["require_auth"]) || ($validated_userid) || (isloggedin()))
 				{
-					foreach ($METHODS[$method]["parameters"] as $key => $value)
+					// If we have parameters then we need to sanitise the parameters.
+					if ((isset($METHODS[$method]["parameters"])) && (is_array($METHODS[$method]["parameters"]))) 
 					{
-						if (
-							(is_array($value)) 			// Check that this is an array
-							&& (isset($value['type']))		// Check we have a type defined
-						)
+						foreach ($METHODS[$method]["parameters"] as $key => $value)
 						{
-							// Check that the variable is present in the request
-
 							if (
-								(!isset($parameters[$key])) &&				// No parameter
-								((!isset($value['required'])) || ($value['required']!=true)) // and not optional
+								(is_array($value)) 			// Check that this is an array
+								&& (isset($value['type']))		// Check we have a type defined
 							)
-								throw new APIException("Missing parameter $key in method $method");
-							else
 							{
-								// Avoid debug error
-								if (isset($parameters[$key]))
+								// Check that the variable is present in the request
+	
+								if (
+									(!isset($parameters[$key])) &&				// No parameter
+									((!isset($value['required'])) || ($value['required']!=true)) // and not optional
+								)
+									throw new APIException("Missing parameter $key in method $method");
+								else
 								{
-									// Set variables casting to type.	
-									switch (strtolower($value['type']))
+									// Avoid debug error
+									if (isset($parameters[$key]))
 									{
-										case 'int':
-										case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break;
-										case 'bool':
-										case 'boolean': 
-													if (strcasecmp(trim($parameters[$key]), "false")==0) 
-														$parameters[$key]='';
-															
-													$serialised_parameters .= "," . (bool)trim($parameters[$key]); 
-													break;
-										case 'string': $serialised_parameters .= ",'" .  (string)mysql_real_escape_string(trim($parameters[$key])) . "'"; 
-													break;
-										case 'float': $serialised_parameters .= "," . (float)trim($parameters[$key]); 
-													break;
-			
-										default : throw new APIException("Unrecognised type in cast {$value['type']} for variable '$key' in method '$method'");
+										// Set variables casting to type.	
+										switch (strtolower($value['type']))
+										{
+											case 'int':
+											case 'integer' : $serialised_parameters .= "," . (int)trim($parameters[$key]); break;
+											case 'bool':
+											case 'boolean': 
+														if (strcasecmp(trim($parameters[$key]), "false")==0) 
+															$parameters[$key]='';
+																
+														$serialised_parameters .= "," . (bool)trim($parameters[$key]); 
+														break;
+											case 'string': $serialised_parameters .= ",'" .  (string)mysql_real_escape_string(trim($parameters[$key])) . "'"; 
+														break;
+											case 'float': $serialised_parameters .= "," . (float)trim($parameters[$key]); 
+														break;
+				
+											default : throw new APIException("Unrecognised type in cast {$value['type']} for variable '$key' in method '$method'");
+										}
 									}
 								}
 							}
+							else
+								throw new APIException("Invalid parameter found for '$key' in method '$method'.");
 						}
-						else
-							throw new APIException("Invalid parameter found for '$key' in method '$method'.");
 					}
-				}
-				
-				// Execute function: Construct function and calling parameters
-				$function = $METHODS[$method]["function"];
-				$serialised_parameters = trim($serialised_parameters, ", ");
-				
-				$result = eval("return $function($serialised_parameters);");
-			
-				// Sanity check result
-				if ($result instanceof GenericResult) // If this function returns an api result itself, just return it
-					return $result; 
 					
-				if ($result === FALSE)
-					throw new APIException("$function($serialised_parameters) has a parsing error.");
+					// Execute function: Construct function and calling parameters
+					$function = $METHODS[$method]["function"];
+					$serialised_parameters = trim($serialised_parameters, ", ");
 					
-				if ($result ===  NULL)
-					throw new APIException("$function($serialised_parameters) returned no value."); // If no value
+					$result = eval("return $function($serialised_parameters);");
 				
-				return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object.	
-			}
+					// Sanity check result
+					if ($result instanceof GenericResult) // If this function returns an api result itself, just return it
+						return $result; 
+						
+					if ($result === FALSE)
+						throw new APIException("$function($serialised_parameters) has a parsing error.");
+						
+					if ($result ===  NULL)
+						throw new APIException("$function($serialised_parameters) returned no value."); // If no value
+					
+					return SuccessResult::getInstance($result); // Otherwise assume that the call was successful and return it as a success object.	
+				}
+				else
+					throw new SecurityException("Authentication token either missing, invalid or expired.", GenericResult::$RESULT_FAIL_AUTHTOKEN); 
+			}	
 			else
-				throw new SecurityException("Authentication token either missing, invalid or expired.", GenericResult::$RESULT_FAIL_AUTHTOKEN); 
-			
+				throw new CallException("$method must be called using '{$METHODS[$method]["call_method"]}'");
 		}
 		
 		// Return an error if not found
@@ -369,7 +393,7 @@
 	}
 	
 	// Expose some system api functions
-	expose_function("system.api.list", "list_all_apis", NULL, false, "List all available API calls on the system.");
+	expose_function("system.api.list", "list_all_apis", NULL, "GET", false, "List all available API calls on the system.");
 
 	
 	// PAM AUTH HMAC functions ////////////////////////////////////////////////////////////////